diff --git a/CHANGES b/CHANGES index 5e2513734d..d2421b974e 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] + 2701. [doc] Correction to ARM: hmac-md5 is no longer the only supported TSIG key algorithm. [RT #18046] diff --git a/README.pkcs11 b/README.pkcs11 index 81bd4176a9..5b6fac4fd9 100644 --- a/README.pkcs11 +++ b/README.pkcs11 @@ -9,9 +9,8 @@ and other cryptographic support devices. BIND 9 is known to work with two HSMs: The Sun SCA 6000 cryptographic acceration board, tested under Solaris x86, and the AEP Keyper -network-attached key storage device, tested with a Debian Linux system. -(The Keyper has also been tested with Windows Server 2003 and found to -work, but with some stability problems that have not yet been resolved.) +network-attached key storage device, tested with a Debian Linux system, +Solaris x86 and Windows Server 2003. PREREQUISITES 
@@ -24,30 +23,37 @@ is available from the OpenSolaris project. It has been modified by ISC to work with with BIND 9 and to provide new features such as PIN management and key by reference. +The PKCS#11 engine supports two flavors: + - the crypto-accelerator which uses the PKCS#11 device for all crypto + operations it supports. This is the right choice for the SCA 6000. + - the sign-only which was stripped down and provides only the + useful features for a secure key store. The Keyper must use this + flavor. + The modified OpenSSL depends on a "PKCS #11 provider". This is a shared library object, providing a low-level PKCS #11 interface to the HSM hardware; it is dynamically loaded by OpenSSL at runtime. The PKCS #11 provider comes from the HSM vendor, and and is specific to the HSM to be controlled. -The modified OpenSSL code is included in BIND 9.7.0a3 release in the form -of a context diff against OpenSSL 0.9.8i. Before building BIND 9 with +The modified OpenSSL code is included in BIND 9.7.0b1 release in the form +of a context diff against OpenSSL 0.9.8k. Before building BIND 9 with PKCS #11 support, it will be necessary to build OpenSSL with this patch in place and inform it of the path to the HSM-specific PKCS #11 provider library. -Obtain OpenSSL 0.9.8i: +Obtain OpenSSL 0.9.8k: - wget http://www.openssl.org/source/openssl-0.9.8i.tar.gz + wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz Extract the tarball: - tar zxf openssl-0.9.8i.tar.gz + tar zxf openssl-0.9.8k.tar.gz Apply the patch from the BIND 9 release: - patch -p1 -d openssl-0.9.8i \ - < bind-9.7.0a3/contrib/pkcs11-keygen/openssl-0.9.8i-patch + patch -p1 -d openssl-0.9.8k \ + < bind-9.7.0b1/bin/pkcs11/openssl-0.9.8k-patch (Note that the patch file may not be compatible with the "patch" utility on all operating systems. You may need to install GNU patch.) 
@@ -63,17 +69,8 @@ We will use this location when we configure BIND 9. not provide hardware cryptographic acceleration. It can carry out cryptographic operations, but it is probably slower than your system's CPU, so it is most efficient to use it only for operations - that require the secured private key. - - The patched OpenSSL source tree includes two versions of the PKCS #11 - engine; one uses the HSM for all cryptographic operations, and the - other only uses it for signing. The signing-only engine is recommended - for the Keyper. To build OpenSSL with the signing-only engine: - - cp openssl-0.9.8i/crypto/engine/hw_pk11-kp.c \ - openssl-0.9.8i/crypto/engine/hw_pk11.c - cp openssl-0.9.8i/crypto/engine/hw_pk11_pub-kp.c \ - openssl-0.9.8i/crypto/engine/hw_pk11_pub.c + that require the secured private key. This is why the PKCS#11 + engine flavor shall be 'sign-only'. The Keyper-specific PKCS #11 provider library is delivered with the Keyper software. In this example, we place it /opt/pkcs11/usr/lib: @@ -86,9 +83,10 @@ We will use this location when we configure BIND 9. Finally, the Keyper library requires threads, so we must specify -pthread. - cd openssl-0.9.8i + cd openssl-0.9.8k ./Configure linux-generic32 -m32 -pthread \ --pk11-libname=/opt/pkcs11/usr/lib/libpkcs11.so \ + --pk11-flavor=sign-only \ --prefix=/opt/pkcs11/usr After configuring, run "make" and "make test". If "make test" fails 
@@ -98,13 +96,15 @@ We will use this location when we configure BIND 9. EXAMPLE 2--BUILDING OPENSSL FOR THE SCA 6000 ON SOLARIS: The SCA-6000 PKCS #11 provider is installed as a system library, - libpkcs11. + libpkcs11. It is a true crypto accelerator, up to 4 times faster + than any CPU, so the flavor shall be 'crypto-accelerator'. In this example, we are building on Solaris x86 on an AMD64 system. - cd openssl-0.9.8i + cd openssl-0.9.8k ./Configure solaris64-x86_64-cc \ --pk11-libname=/usr/lib/64/libpkcs11.so \ + --pk11-flavor=crypto-accelerator \ --prefix=/opt/pkcs11/usr (For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.) @@ -117,6 +117,8 @@ line: (pkcs11) PKCS #11 engine support +<<"apps/openssl engine -t" to see if initialization is correct (available)>> + If the output is correct, run "make install". BUILDING BIND 9 @@ -133,7 +135,7 @@ library must be specified via configure. we are building on a 64-bit host, we must force a 32-bit build by adding "-m32" to the CC options on the "configure" command line. - cd ../bind-9.7.0a3 + cd ../bind-9.7.0b1 ./configure CC="gcc -m32" --enable-threads \ --with-openssl=/opt/pkcs11/usr \ --with-pkcs11=/opt/pkcs11/usr/lib/libpkcs11.so @@ -143,10 +145,10 @@ library must be specified via configure. To link with the PKCS #11 provider, threads must be enabled in the BIND 9 build. - cd ../bind-9.7.0a3 + cd ../bind-9.7.0b1 ./configure CC="cc -xarch=amd64" --enable-threads \ --with-openssl=/opt/pkcs11/usr \ - -with-pkcs11=/usr/lib/64/libpkcs11.so + --with-pkcs11=/usr/lib/64/libpkcs11.so (For a 32-bit build, omit CC="cc -xarch=amd64".) 
@@ -208,6 +210,10 @@ otherwise the PCKS #11 engine will look for the key on disk rather than in the HSM. If you forget to do this, dnssec-keyfromlabel will return "not found".) +<> +<> + The resulting K*.key and K*.private files can now be used to sign the zone. Unlike normal K* files, which contain both public and private key data, these files will contain only the public key data, plus an
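Review bot: CHANGES entry 2702 cites "[RT #20225 & all]", and "& all" is not a resolvable ticket reference. List the specific RT numbers this change closes, or drop the qualifier, so the entry can be traced back the way 2701's "[RT #18046]" can.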
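Review bot: the rewritten Keyper paragraph (README.pkcs11, hunk at line 9) drops the caveat that the Windows Server 2003 test showed unresolved stability problems and now lists Windows Server 2003 as simply tested. If those problems were fixed, say so; if not, keep the caveat, because readers use this paragraph to decide which platform to put an HSM-backed signer on. The unchanged context line "cryptographic acceration board" is also missing a letter ("acceleration") and could be fixed while the paragraph is being touched.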
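Review bot: the new "two flavors" list (hunk at line 24) names the flavors but not how a builder selects one; since later hunks add a "--pk11-flavor=" configure option, mention it here ("selected with --pk11-flavor=crypto-accelerator or --pk11-flavor=sign-only") and state which flavor applies when the option is omitted, otherwise a reader who skips the examples never learns the option exists. "provides only the useful features for a secure key store" is vague: say that in sign-only mode only the operations that need the secured private key are sent to the device, whereas crypto-accelerator mode routes every operation the device supports to it, because that split is what a key-store user needs to understand. The doubled words in the surrounding context lines ("work with with BIND 9", "and and is specific") could be fixed in the same hunk.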
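Review bot: in the hunk at line 63, "This is why the PKCS#11 engine flavor shall be 'sign-only'" states a requirement, but the only reason given is performance ("probably slower than your system's CPU"). Prefer "should" to "shall", and spell out the consequence of picking crypto-accelerator on a Keyper (every supported crypto operation goes to the slower device) so the recommendation is actionable. Replacing the hand-copied hw_pk11-kp.c instructions with a configure flag is the right direction; just make sure the flag's default is documented somewhere the reader will see it.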
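Review bot: "It is a true crypto accelerator, up to 4 times faster than any CPU" in the SCA 6000 hunk (line 98) is an unqualified benchmark claim, and "any CPU" will not age well. Either cite the measurement (which operation, key size and host CPU) or soften it to something like "faster than the host CPU for RSA signing in our tests".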
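Review bot: the added line '<<"apps/openssl engine -t" to see if initialization is correct (available)>>' in the hunk at line 117 reads like an author's note committed as-is; the double angle brackets match nothing else in README.pkcs11. Replace it with a plain instruction, for example: 'Run "apps/openssl engine -t" and check that the pkcs11 engine is reported as [ available ]; if it is reported unavailable, the path given to --pk11-libname is wrong or the provider library failed to load.' That puts the actual check, rather than a placeholder, into the shipped document.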
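Review bot: the two added lines consisting only of "<>" after the dnssec-keyfromlabel paragraph (hunk at line 208) are empty placeholders and should not ship in README.pkcs11. Either fill them with the intended text or drop the hunk before merging. The unchanged context line above also has "PCKS #11" for "PKCS #11".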